System and method for detecting malicious activity and classifying a network communication based on different indicator types

US 10,033,753 B1
Filed: 04/24/2017
Issued: 07/24/2018
Est. Priority Date: 05/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for detecting communications associated with a cyber-attack, comprising:

parsing packets of a network communication to identify at least network addressing information within the packets;

performing a first analysis on the network addressing information to determine whether the network addressing information corresponds to one or more high quality indicators, each high quality indicator of the one or more high quality indicators (i) identifies a strong correlation with a malicious activity and (ii) is represented by a first value being a score generated for the high quality indicator for use in classifying the network communication;

performing a second analysis on content of the network communication other than the network addressing information to determine whether the analyzed content of the network communication corresponds to one or more supplemental indicators, each supplemental indicator of the one or more supplemental indicators (i) identifies an anomaly in the content of the network communication and (ii) is represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication; and

classifying the network communication as part of the cyber-attack by (i) classifying the network communication as being part of the cyber-attack when one or more values of the one or more high quality indicators exceeds a predetermined threshold without consideration of the one or more supplemental indicators, and (ii) in response to the one or more first values corresponding to the one or more high quality indicators failing to exceed the predetermined threshold, using the one or more second values representing the one or more supplemental indicators with at least the one or more first values to classify the communication as being part of the cyber-attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of a method for detecting a cyber-attack features first and second analyzes. The first analysis is conducted on content of a communication to determine at least a first high quality indicator. The first high quality indicator represents a first probative value for classification. The second analysis is conducted on metadata related to the content to determine supplemental indicator(s). Each of the supplemental indicator(s) is represented by a probative value for classification. The communication is classified as being part of the cyber-attack when the first probative value exceeds a predetermined threshold without consideration of the corresponding probative values for the supplemental indicator(s). In response to the first high quality indicator failing to classify the network communication, using the corresponding probative values associated with the one or more supplemental indicators with at least the first probative value to classify the network communication as being part of the cyber-attack.

Citations

25 Claims

1. A computerized method for detecting communications associated with a cyber-attack, comprising:
- parsing packets of a network communication to identify at least network addressing information within the packets;
  
  performing a first analysis on the network addressing information to determine whether the network addressing information corresponds to one or more high quality indicators, each high quality indicator of the one or more high quality indicators (i) identifies a strong correlation with a malicious activity and (ii) is represented by a first value being a score generated for the high quality indicator for use in classifying the network communication;
  
  performing a second analysis on content of the network communication other than the network addressing information to determine whether the analyzed content of the network communication corresponds to one or more supplemental indicators, each supplemental indicator of the one or more supplemental indicators (i) identifies an anomaly in the content of the network communication and (ii) is represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication; and
  
  classifying the network communication as part of the cyber-attack by (i) classifying the network communication as being part of the cyber-attack when one or more values of the one or more high quality indicators exceeds a predetermined threshold without consideration of the one or more supplemental indicators, and (ii) in response to the one or more first values corresponding to the one or more high quality indicators failing to exceed the predetermined threshold, using the one or more second values representing the one or more supplemental indicators with at least the one or more first values to classify the communication as being part of the cyber-attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the first value being a probative value that is greater than a probative value of any of the one or more corresponding values representing the one or more supplemental indicators.
  - 3. The method of claim 1, wherein the network addressing information includes an uniform resource locator (URL).
  - 4. The method of claim 3, wherein the network communication is classified as being part of the cyber-attack when the one or more first values of the first high quality indicator exceeds the predetermined threshold.
  - 5. The method of claim 3, wherein the one or more second values representing the one or more supplemental indicators are used with at least the one or more first values to classify the network communication as being part of the cyber-attack in response to the one or more first values of the one or more high quality indicators failing to exceed the predetermined threshold and being greater than a second predetermined threshold that is less than the predetermined threshold.
  - 6. The computerized method of claim 3, wherein the cyber-attack includes a command and control (CnC) communication operating as a callback.
  - 7. The method of claim 3, wherein the performing of the first analysis on the network addressing information of the network communication comprises determining whether the URL compares to any of a plurality of URLs that are known to be associated with malicious activity that is part of the cyber-attack.
  - 8. The method of claim 7, wherein the determining whether the URL compares to any of the plurality of URLs comprises performing a hash operation on the URL to produce a hash result and comparing the hash result to a plurality of hash results that correspond to a plurality of URLs for previously analyzed communications that are determined to be part of the cyber-attack.
  - 9. The method of claim 3, wherein the performing of the first analysis on the network addressing information of the network communication comprises assessing reputation information associated with the URL and determining whether the URL is associated with the malicious activity that is part of the cyber-attack based on the reputation information.
  - 10. The method of claim 9, wherein the reputation information includes at least one of (i) a length of time a domain associated with the URL has been registered, or (ii) a country in which an Internet Protocol (IP) address of the URL is located.
  - 11. The method of claim 10, wherein the reputation information further includes at least one of (i) a determination whether a web site accessible via the URL uses a security protocol to protect communications with the web site, or (ii) a name of the Internet Service Provider (ISP) hosting the web site.
  - 12. The method of claim 3, wherein the performing of the first analysis on the network addressing information of the network communication comprises an analysis of a reputation of a domain name of the URL to determine a probability that a detected presence of the domain name indicates the network communication is part of the cyber-attack.
  - 13. The method of claim 3, wherein the performing of the first analysis on the network addressing information of the network communication comprises an analysis of a reputation of an Internet Protocol (IP) address of the URL to determine a probability that a detected presence of the IP address indicates the network communication is part of the cyber-attack.
  - 14. The method of claim 1, where the performing of the second analysis on the content of the network communication other than the network addressing information comprises performing an analysis of components of a header of the network communication being a network communication to detect a protocol anomaly.
  - 15. The method of claim 1, wherein the performing of the first analysis, the performing of the second analysis and the classifying of the communication is entirely conducted with a cloud based facility.
  - 16. The method of claim 1, wherein the performing of the first analysis, the performing of the second analysis and the classifying of the communication is entirely conducted with a malware content detection (MCD) system.
  - 17. The method of claim 1, wherein the first value being a probative value representing a mathematical combination of the one or more values associated with the one or more high quality indicators, including the first value.

18. A computer implemented method for detecting a cyber-attack, comprising:
- performing a first analysis on an uniform resource locator (URL) included as part of a network communication to determine whether the URL corresponds to at least a first high quality indicator, the first high quality indicator (i) identifying a strong correlation with a malicious activity and (ii) being represented by at least a first probative value being a score generated for the first high quality indicator for use in classifying the network communication;
  
  performing a second analysis on metadata related to the URL included as part of the network communication to determine whether the analyzed metadata corresponds to one or more supplemental indicators, each of the one or more supplemental indicators being represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication; and
  
  classifying the network communication including the URL as part of the cyber-attack by (i) classifying the network communication as being part of the cyber-attack when the first probative value exceeds a predetermined threshold without consideration of the corresponding probative values associated with the one or more supplemental indicators, and (ii) in response to the first high quality indicator failing to classify the network communication, using the corresponding probative values associated with the one or more supplemental indicators with at least the first probative value to classify the network communication as being part of the cyber-attack.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method of claim 18, wherein the first probative value is greater than any corresponding probative value for the one or more supplemental indicators.
  - 20. The method of claim 18, wherein the metadata includes attributes related to content within data packets forming the network communication.
  - 21. The method of claim 18, wherein the content within the data packets include content within one or more headers of the data packets forming the network communication, the content being different than the URL.
  - 22. The method of claim 18, wherein the metadata includes attributes of suspicious content being part of the network communication and targeted to a destination accessible via the URL.
  - 23. The method of claim 18, wherein the performing of the first analysis on the URL comprises parsing packets of the network communication to extract the URL and determining whether the URL compares to any of a plurality of URLs that are known to be associated with malicious activity that is part of the cyber-attack.

24. A system for detecting a cyber attack, comprising:
- one or more processors;
  
  a memory communicatively coupled to the one or more processors, the memory includesa recommending engine that, when executed by the one or more processors, is configured to perform a first analysis on network addressing information of packets of a network communication to determine whether the network addressing information corresponds to one or more high quality indicators, each high quality indicator of the one or more high quality indicators (i) identifies a strong correlation with a malicious activity and (ii) is represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication,a supplemental indicator generator that, when executed by the one or more processors, is configured to perform a second analysis on content of the network communication other than the network addressing information to determine whether the analyzed content of the network communication corresponds to one or more supplemental indicators, each supplemental indicator of the one or more supplemental indicators (i) identifies an anomaly in the content of the network communication and (ii) is represented by a second value being a score generated for the supplemental indicator for use in classifying the network communication, anda classifying engine that, when executed by the one or more processors, is configured to classify the network communication as part of the cyber-attack by at least (i) classifying the communication as being part of the cyber-attack when at least the first value, representing at least the one or more high quality indicators exceeds a predetermined threshold without consideration of the one or more second values of the one or more supplemental indicators, and (ii) in response to the one or more first values falling below the predetermined threshold, using the one or more second values representing the one or more supplemental indicators with at least the one or more first values to classify the communication as being part of the cyber-attack.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein the memory further comprising:
    - a report generator that, when executed by the one or more processors, is configured to issue an alert in response to the classifying engine classifying the communication as a part of a cyber-attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Islam, Ali, Bu, Zheng
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Callahan, Paul E

Application Number

US15/495,629
Time in Patent Office

456 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

System and method for detecting malicious activity and classifying a network communication based on different indicator types

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malicious activity and classifying a network communication based on different indicator types

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links